Skip to main content
CVE-2026-58226 HIGH PATCH This Week

Unauthenticated denial-of-service in elixir-mint's hpax (the HPACK header-compression library for Elixir HTTP/2, versions 0.1.1 through 1.0.3) allows a remote attacker to force superlinear (~O(N²)) CPU consumption by sending a small header block containing an HPACK integer with a long run of continuation octets. Because BEAM integers are arbitrary-precision, the decoder builds an ever-growing bignum with no upper bound, turning a few crafted bytes into a large, attacker-controlled amount of CPU and transient memory - a classic decompression/amplification DoS. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch (version 1.0.4) is available.

RCE Hpax
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-4249 HIGH PATCH This Week

Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffic Manager, and WSO2 API Control Plane - allows an unauthenticated remote attacker to send malicious JSON payloads to the throttling event handling mechanism, crashing or corrupting API Gateway state so that legitimate API traffic can no longer be processed. Because the outage is persistent and requires manual intervention to restore service, and the CVSS scope is changed (S:C), a single request can take down the entire API Gateway tier. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Denial Of Service Wso2 Universal Gateway Wso2 Traffic Manager Wso2 Api Control Plane Wso2 Api Manager
NVD VulDB
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-14471 HIGH PATCH This Week

SQL injection in the Amazon (agentic-community) mcp-gateway-registry before 1.0.13 allows an authenticated remote user to execute arbitrary SQL queries by supplying a crafted table_name that the metrics-service retention policy component interpolates directly into SQL in identifier position. Because the injection sits in an identifier (table name) position rather than a parameterizable value, it bypasses ordinary prepared-statement protections and grants broad read/write access to the metrics datastore. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; a vendor patch (v1.0.13) is available.

SQLi Mcp Gateway Registry
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-57573 HIGH PATCH This Week

Server-side request forgery in Crawl4AI's Docker API server (versions prior to 0.9.0) lets a remote unauthenticated client coerce the server into fetching attacker-chosen internal, private, or link-local URLs and streaming the response body back. The SSRF destination allowlist check was enforced on the non-streaming /crawl path but omitted from the streaming code path, so requests to POST /crawl/stream - or POST /crawl with crawler_config.stream=true - bypass validation entirely. No public exploit identified at time of analysis, but the fix is public in commit 60886d1 and the root cause (a guard applied to one path but not its sibling) is trivial to reproduce.

SSRF Docker Crawl4ai
NVD GitHub
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-53644 HIGH This Week

Broken object-level authorization in FOSSBilling 0.5.3 through 0.7.2 lets an authenticated client read and reset API key service secrets belonging to orders that are no longer active, such as suspended or canceled orders. Two client API endpoints skip the order-state check that the frontend UI and the module's own isActive() helper otherwise enforce, exposing high-value credentials to any logged-in customer for their non-active services. There is no public exploit identified at time of analysis, and the flaw is fixed in version 0.8.0.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-59712 HIGH PATCH This Week

Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row - password hashes, TOTP secrets, and session tokens - by invoking the users.getUser method with arbitrary user IDs (CWE-639, broken object-level authorization). Because the API returns records without verifying the caller owns or is authorized for the requested ID, a low-privileged user can enumerate and harvest credentials for every account, including administrators. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.6 (High).

Authentication Bypass Leantime
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-59713 HIGH PATCH This Week

Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a victim into an attacker-controlled account. The root cause is a stubbed verifyState() method that unconditionally returns true, so the OIDC state parameter is never validated, letting a crafted callback URL carrying an attacker-supplied authorization code complete login as the attacker. No public exploit identified at time of analysis, but a vendor patch and a public technical advisory (VulnCheck) exist; CVSS 4.0 is rated 8.6 (High).

CSRF Leantime
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-40141 HIGH PATCH NEWS This Week

Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows an authenticated, low-privileged attacker to manipulate input parameters and read resources or data beyond their authorization scope. The flaw enables information disclosure across authorization boundaries and, per the vendor's CVSS 4.0 vector, can impact downstream systems. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation is restricted to accounts holding specific permissions.

Nosql Injection Information Disclosure Remote Support Privilege Remote Access
NVD
CVSS 4.0
8.5
EPSS
0.4%
CVE-2026-53645 HIGH This Week

Persistent privilege escalation in FOSSBilling versions prior to 0.8.0 lets a low-privileged staff account holding only the staff.create_and_edit_staff permission promote itself to arbitrary permissions via the admin API, defeating role-based access control. By calling /api/admin/staff/permissions_update against its own account, the staff user writes any permission structure and effectively gains full administrative control. Rated CVSS 4.0 8.5 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV, but the attack is trivially reproducible once a qualifying staff account exists.

Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.2%
CVE-2025-53828 HIGH PATCH This Week

Server-side request forgery escalating to remote code execution in the SharePoint for ownCloud app (versions prior to 0.4.1, bundled with ownCloud 10 before 10.15.3) lets an already-authenticated administrator coerce the server into making attacker-controlled requests that ultimately run arbitrary code on the host. The flaw is tagged RCE/SSRF and carries an 8.5 CVSS with a scope change (S:C), reflecting that abuse of the SharePoint integration crosses a trust boundary into the underlying system. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-and-move-on issue rather than an active-threat emergency.

SSRF Microsoft RCE Sharepoint Owncloud 10
NVD GitHub
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-55786 HIGH POC PATCH GHSA This Week

Unauthenticated OS command execution in flyto-core (Python package, confirmed on 2.26.2) allows any client that can reach the HTTP MCP endpoint (POST /mcp) to run arbitrary shell commands as the server process. The JSON-RPC tools/call handler lacks the require_auth dependency present on the equivalent REST route, so an attacker can invoke execute_module against sandbox.execute_shell and reach asyncio.create_subprocess_shell with attacker-controlled input. Publicly available exploit code exists (a curl one-liner and poc.py in the advisory); there is no CISA KEV listing and no EPSS score provided, and by default the server binds to 127.0.0.1, making this a local (CVSS 8.4) issue that becomes network-exploitable only when started with --host 0.0.0.0.

Command Injection Python Authentication Bypass Docker
NVD GitHub
CVSS 3.1
8.4
CVE-2026-6901 HIGH This Week

Local privilege/code manipulation in B&R Industrial Automation's APROL process control system (all versions before R 4.4-01P5) arises from an untrusted search path (CWE-426), allowing a low-privileged local user to plant a malicious executable or library that the application loads from an attacker-influenced directory. Successful exploitation yields high confidentiality and integrity impact on the affected engineering/operator station. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.4 (High).

Information Disclosure Aprol
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-55427 HIGH PATCH GHSA This Week

SSH configuration injection leading to arbitrary code execution in Coder's `coder config-ssh` CLI command allows a malicious or compromised Coder server to write attacker-controlled directives into a developer's `~/.ssh/config`. The command copied server-supplied `HostnameSuffix` and `SSHConfigOptions` values verbatim without stripping newlines, letting an attacker in control of those values inject a directive such as `ProxyCommand` that runs on every SSH connection from the workstation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was found and disclosed by Anthropic's Security Team and is fixed across all supported release lines.

RCE
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.5%
CVE-2026-55428 HIGH PATCH GHSA This Week

Traffic interception in Coder's tailnet coordinator allows a malicious workspace agent to hijack another agent's tailnet address by advertising forged WireGuard AllowedIPs prefixes. The coordinator authorizes an agent's Addresses against its authenticated UUID but performs no equivalent check on AllowedIPs, which it forwards verbatim to tunnel peers; because ServerTailnet routes by tailnet IP, an attacker who claims a victim's prefix can intercept web terminal and workspace app traffic and serve spoofed content. Rated CVSS 8.2 (CWE-285, improper authorization); a vendor patch is available and no public exploit is identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-43825 HIGH PATCH This Week

Untrusted Java deserialization in Apache OpenNLP's SvmDoccatModel (libsvm document categorization module, versions 3.0.0-M1 through before 3.0.0-M4) lets an attacker who supplies a crafted serialized stream to the public static SvmDoccatModel.deserialize(InputStream) trigger deserialization of an arbitrary object graph before the SvmDoccatModel cast occurs. Where a usable gadget chain exists on the consuming application's classpath, this yields remote code execution in the loading JVM; OpenNLP ships no gadget itself, so realistic risk falls on downstream apps that embed the module alongside vulnerable transitive dependencies. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the SSVC assessment marks it automatable with partial technical impact.

Deserialization Java RCE Apache Apache Opennlp
NVD
CVSS 3.1
7.3
EPSS
4.8%
CVE-2026-54291 HIGH PATCH This Week

Channel-binding downgrade in the pgjdbc PostgreSQL JDBC Driver (releases 42.7.4 through 42.7.11) lets an active man-in-the-middle silently strip SCRAM-SHA-256-PLUS channel binding down to plain SCRAM-SHA-256 even when the client explicitly set channelBinding=require, defeating the exact protection that setting promises. The flaw stems from the bundled com.ongres.scram:scram-client returning an empty binding for certificates whose signature algorithm lacks a tls-server-end-point hash, combined with pgJDBC's ScramAuthenticator failing to reject that empty binding. No public exploit identified at time of analysis and it is not listed in CISA KEV; it is fixed in 42.7.12.

PostgreSQL Information Disclosure Pgjdbc
NVD GitHub
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-59195 HIGH PATCH This Week

Arbitrary out-of-tree file/symlink write via path traversal in pnpm before 10.34.4 and 11.8.0 allows a malicious repository to escape node_modules/.pnpm-config by committing a crafted pnpm-lock.yaml whose env-lockfile configDependencies section carries a traversal-shaped package name. When a victim runs pnpm install, pnpm trusts that attacker-controlled name and creates a config-dependency symlink at the derived path, letting an attacker place symlinks outside the intended directory. No public exploit is identified at time of analysis, but exploitation only requires the victim to install dependencies from the poisoned repo (UI:R); CVSS is 8.2 (High) with a scope change.

Path Traversal Pnpm
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-46591 HIGH PATCH This Week

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMatchProperties map to execute arbitrary Cypher queries against the connected Neo4j database, enabling unauthorized read, modification, or deletion of any node or relationship. The flaw exists across three release streams (4.10.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) and is a direct bypass of the partial fix introduced in CVE-2025-66169, which bound property values as query parameters but left property names (JSON keys) concatenated verbatim into the WHERE clause. No public exploit code or CISA KEV listing has been identified at time of analysis, though the prior related CVE in the same producer indicates recurring injection exposure in this component.

Code Injection Nosql Injection Apache Apache Camel
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2025-53831 HIGH PATCH This Week

Stored cross-site scripting in the DrawIO for ownCloud app (versions prior to 1.0.2, shipping with ownCloud 10 before 10.15.3) allows an authenticated user with access to the DrawIO app to persist a malicious payload that later executes in another user's browser session. Because the payload is stored and rendered to victims within the trusted ownCloud origin, it can hijack sessions or act on the victim's behalf. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

XSS Drawio For Owncloud Owncloud 10
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-43865 HIGH PATCH This Week

Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelcast cluster to run arbitrary code on every Camel node. The flaw exists because Camel-created Hazelcast instances apply no Java deserialization filter by default, so crafted serialized objects sent over the cluster protocol are deserialized (ObjectInputStream.readObject) before Camel processes them. It affects Camel 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x whenever a hazelcast consumer or repository uses Camel's own default configuration; there is no public exploit identified at time of analysis and EPSS is low (0.49%, 39th percentile).

Deserialization Java RCE Apache Apache Camel
NVD VulDB
CVSS 3.1
8.1
EPSS
0.5%
CVE-2026-40859 HIGH PATCH This Week

Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a producer endpoint deserializes 5xx HTTP response bodies marked application/x-java-serialized-object through a raw java.io.ObjectInputStream with no class filtering. Exploitation is limited to non-default deployments where transferException=true or allowJavaSerializedObject=true is set and throwExceptionOnFailure remains true, letting an attacker who controls or intercepts the backend deliver a malicious serialized object and, given a gadget chain on the classpath, run code on the Camel host. This is a vendor-reported (Apache) issue with a publicly available advisory; there is no public exploit identified at time of analysis and EPSS is low at 0.39% (31st percentile).

Deserialization Java RCE Apache Apache Camel
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-54771 HIGH PATCH GHSA This Week

Unauthorized tool invocation in the Langroid Python LLM-agent framework lets a user of an exposed chat interface directly execute server-side tool handlers by sending raw tool JSON, even when the tool was registered with use=False, handle=True. Because the dispatch path (agent_response → handle_message → get_tool_messages) never checks whether a message originated from Entity.USER versus Entity.LLM, the use=False guard — which developers reasonably assume blocks end-user invocation — only stops the LLM from emitting the tool, not a user from calling it. A working PoC exists in the advisory (publicly available exploit code exists); depending on which handled tools are enabled, this yields file read/write, database queries, or access to internal orchestration tools.

Python Information Disclosure
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-42527 HIGH PATCH This Week

Blind out-of-band data exfiltration in Apache Camel 4.14.0-4.20.x arises because the default ObjectInputFilter pattern bundled with several components ('java.**;javax.**;org.apache.camel.**;!*') uses a recursive java.** glob that allow-lists java.net.URL and java.net.InetAddress. Remote attackers who can deliver a Java-serialized payload to an affected Camel consumer - most notably the camel-jms family, where JmsBinding.extractBodyFromJms calls ObjectMessage.getObject() by default (mapJmsMessage=true) - can force the JVM to issue DNS queries to an attacker-controlled host during deserialization side-effects, yielding an observable out-of-band channel. Reported by Apache; there is no public exploit identified at time of analysis, EPSS is low (0.31%, 23rd percentile), and it is not listed in CISA KEV.

Deserialization Apache Apache Camel
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-53829 HIGH PATCH This Week

Remote code execution in ownCloud 10 (before 10.15.3) lets an authenticated administrator abuse a relative path traversal weakness to write or reference files outside intended directories and execute arbitrary code on the server. The high-privilege requirement (PR:H) and high attack complexity (AC:H) constrain who can trigger it, but successful exploitation yields full compromise with a scope change beyond the application context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.

Path Traversal RCE Owncloud 10
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.3%
CVE-2026-54763 HIGH PATCH This Week

Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker reaching a protected route smuggle an underscore-variant HTTP header past the BasicAuth, DigestAuth, and ForwardAuth middlewares' sanitization. Traefik strips canonical dashed spoofed headers before setting its own trusted value but ignores underscore forms (e.g. X_Forwarded_User vs X-Forwarded-User) that many backends normalize identically, so the forged header reaches the backend alongside — or, on the ForwardAuth authResponseHeaders path, instead of — Traefik's intended value. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a vendor fix and upstream commit are published.

Code Injection Canonical Traefik
NVD GitHub
CVSS 4.0
7.8
EPSS
0.3%
CVE-2026-58380 HIGH This Week

Stack-based memory corruption in GIMP's PNM image parser lets an attacker execute code or crash the application when a victim opens a malicious PNM/PBM/PGM/PPM file. The flaw is an off-by-one in pnmscanner_gettoken() that writes a null terminator one byte past a stack buffer; it is local and requires the user to open the crafted file (UI:R). No public exploit is identified at time of analysis, and EPSS is low (0.12%), consistent with the CISA SSVC 'Exploitation: none' judgment.

Denial Of Service Buffer Overflow RCE Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-21379 HIGH This Week

Local privilege escalation via memory corruption affects Qualcomm Snapdragon platforms, where allocating memory with sizes exceeding the maximum allowed value corrupts adjacent memory (CWE-126, buffer over-read/overflow). A local attacker with low privileges (PR:L) and no user interaction can compromise confidentiality, integrity, and availability (all High), scoring CVSS 7.8. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-59616 HIGH This Week

Use-after-free memory corruption in Qualcomm Snapdragon platform driver code allows a local low-privileged process to trigger access of already-freed memory by issuing multiple IOCTL calls that reference the same buffer file descriptor. A successful attacker gains full compromise of confidentiality, integrity, and availability on the affected device, which in practice can mean kernel-level code execution or privilege escalation from an unprivileged app. There is no public exploit identified at time of analysis, EPSS is negligible (0.09%, 1st percentile), and CISA SSVC records no known exploitation.

Memory Corruption Buffer Overflow Use After Free Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-59615 HIGH This Week

Local privilege escalation via memory corruption affects a broad range of Qualcomm Snapdragon chipsets, where a use-after-free condition in the device driver's input/output control (ioctl) path for mapping and unmapping persistent memory buffers can be triggered by an authenticated local application. Improper synchronization on these operations lets a low-privileged process corrupt kernel memory to gain full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS is very low (0.09%), consistent with CISA SSVC scoring exploitation as none.

Memory Corruption Buffer Overflow Use After Free Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-55426 HIGH PATCH GHSA This Week

Local privilege escalation in Linuxfabrik Monitoring Plugins (and the underlying linuxfabrik-lib Python library) lets an attacker who already controls the low-privileged nagios account execute arbitrary OS commands, typically as root. The flaw stems from the library's shell_exec() helper splitting assembled command strings on the pipe (|) character, so user-controlled plugin arguments such as restic-check's --repo can inject additional commands. Publicly available exploit code exists (a PoC is included in the vendor advisory), but the issue is not listed in CISA KEV and no EPSS score was provided.

Command Injection Privilege Escalation
NVD GitHub
CVSS 3.1
7.8
CVE-2026-14468 HIGH PATCH This Week

Arbitrary file read in HashiCorp Terraform Enterprise allows an authenticated user to escape the intended repository boundary during VCS-based registry module ingestion, pulling files from outside the source repository into a packaged module and downloading them. Because the ingestion process runs with its own filesystem privileges, an attacker can exfiltrate sensitive files (secrets, configuration, tokens) readable by that process. Reported by HashiCorp with no public exploit identified at time of analysis; the CVSS 7.7 (scope-changed) score reflects high confidentiality impact against a self-hosted enterprise platform.

Hashicorp Path Traversal Terraform Enterprise
NVD VulDB
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-9165 HIGH This Week

Authenticated denial of service in Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4 allows any user holding a valid API token to exhaust Central's resources. Because Central does not cap the nesting depth of queries served on its authenticated GraphQL API, a single deeply nested query can drive excessive CPU and memory consumption and take down the RHACS management plane. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the low-privilege network vector makes it trivial for any token holder to trigger.

Kubernetes Red Hat Denial Of Service Red Hat Advanced Cluster Security 4
NVD
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-42331 HIGH PATCH This Week

Broken access control in FOSSBilling before 0.8.0 lets an unauthenticated attacker who knows an unpaid invoice's hash change the payment gateway (gateway_id) tied to that invoice, because the Guest API invoice/update endpoint omits an authorization check that its sibling invoice endpoints enforce. The attacker can only select gateways an administrator has already installed and configured, and the impact is further gated by the invoice_accessible_from_hash setting, so it cannot redirect funds to an arbitrary external endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Fossbilling
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-53646 HIGH This Week

Account takeover in FOSSBilling 0.5.6 through 0.7.2 arises because the reset_password guest API endpoint reuses an existing, unexpired ClientPasswordReset token rather than rotating it on each request. An attacker who has captured a victim's earlier reset link retains a valid path to hijack the account even after the victim requests a fresh reset, since the original token is never invalidated and its 15-minute window is anchored to the first request. No public exploit is identified at time of analysis, and the CVSS 4.0 score is 7.7 (High); version 0.8.0 fixes the flaw.

Information Disclosure Nginx Apache
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-54641 HIGH PATCH GHSA This Week

Cross-tenant information disclosure in OpenRemote Manager lets a realm admin of one tenant read the profile, realm roles, and client roles of any user in any other realm - including the privileged master realm - simply by supplying the target user's UUID in the REST API path. Three read endpoints in UserResourceImpl verify the caller's read:admin role but never confirm the target user belongs to the caller's realm, breaking multi-tenant isolation for user data. Publicly available exploit code exists (a working curl-based PoC with live-instance HTTP 200 responses is documented), though it is not listed in CISA KEV and no active exploitation is confirmed.

Authentication Bypass Java
NVD GitHub
CVSS 3.1
7.7
CVE-2026-58250 HIGH PATCH This Week

Remote denial of service in the NATS Server (nats-io/nats-server) leafnode subsystem allows unauthenticated attackers to crash the entire server by sending a second INFO protocol message before CONNECT on the leafnode port, triggering a nil-pointer dereference (c.acc == nil) that panics the process. All server instances exposing a leafnode listener prior to v2.11.17 (2.11.x) and v2.12.8 (2.12.x) are affected. No public exploit has been identified, but the vendor's own regression test (TestLeafNodeSecondInfoBeforeConnectDoesNotPanic) demonstrates the exact crash payload, and the CVSS availability-only vector (7.5) reflects a single-packet, no-auth crash.

Denial Of Service Null Pointer Dereference Nats Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-58210 HIGH PATCH This Week

Denial of service in NATS Server (nats-server) MQTT handler allows a remote, unauthenticated client to exhaust server memory by sending an MQTT CONNECT packet that declares a large variable-length 'remaining length' before authentication completes. Because the pre-connection MQTT parser failed to enforce the configured max_payload limit, the server would buffer attacker-controlled data unbounded, degrading or crashing the broker (CVSS 7.5, availability-only impact). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed by upstream commits, releases, and a GitHub Security Advisory.

Denial Of Service Nats Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-9181 HIGH This Week

Unauthenticated file disclosure in Esri ArcGIS Server (all versions 12.0 and prior) lets remote attackers read sensitive files by supplying crafted path parameters that escape the intended directory. The flaw is network-reachable with no authentication or user interaction and, per CISA's SSVC framework, is automatable with total technical impact, though no public exploit has been identified and EPSS exploitation probability remains modest at 0.72%. Esri disclosed and patched the issue in its May 2026 ArcGIS security bulletin.

Path Traversal Arcgis Server
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-58208 HIGH PATCH This Week

Remote denial-of-service in NATS Server (nats-server) affects deployments with the WebSocket listener enabled but MQTT disabled; per the GHSA-p957-7v2w-g93g advisory and the fixing commit, an unauthenticated attacker can send an MQTT-over-WebSocket upgrade request to the WebSocket endpoint while MQTT is turned off, triggering an uncaught exception (CWE-248) that crashes the server (CVSS 7.5, availability-only impact). This is a Linux Foundation CNCF messaging component fixed in nats-server 2.12.12 and 2.14.3. No public exploit identified at time of analysis; not listed in CISA KEV, and EPSS is low at 0.53% (41st percentile), consistent with the SSVC assessment of exploitation 'none' and only partial technical impact.

Information Disclosure Nats Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-54640 HIGH PATCH GHSA This Week

Arbitrary file read in OpenRemote's KNXProtocol asset-import handler lets any authenticated user (PR:L, any realm) upload a malicious ETS project ZIP whose 0.xml is parsed via Saxon XSLT and XMLInputFactory without XXE hardening, resolving external entities to exfiltrate server files such as /etc/passwd, openmrs-runtime.properties, and cloud credential files, with SSRF against internal endpoints as a secondary impact. This is an incomplete-fix regression of CVE-2026-40882, which only hardened the parallel Velbus handler and left KNXProtocol's two XML parsing calls unprotected. A full working proof-of-concept reproducing both parsing stages is publicly available; the vulnerability is not listed in CISA KEV.

XXE SSRF Java Apache
NVD GitHub
CVSS 3.1
7.6
CVE-2026-55379 HIGH PATCH This Week

Uncontrolled memory allocation in Python Pillow before 12.3.0 lets a crafted BDF font file exhaust available memory and crash the host application. The BdfFontFile parser trusts the attacker-supplied BBX width/height fields and hands them to Image.new() while skipping Pillow's decompression-bomb size check, so a tiny malicious font can request a huge in-memory bitmap. Impact is availability-only (denial of service); there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Python Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55380 HIGH PATCH This Week

Denial-of-service via memory exhaustion in Python Pillow before 12.3.0 allows a crafted GD-format (.gd) image to trigger excessive C-heap allocation when opened, because GdImageFile._open() reads image dimensions straight from the GD 2.x header without invoking Pillow's Image._decompression_bomb_check() guard. Any application that loads untrusted .gd files with a vulnerable Pillow version can be crashed or driven into out-of-memory conditions. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 (availability-only impact).

Python Information Disclosure Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54060 HIGH PATCH This Week

Uncontrolled memory allocation in Python Pillow before 12.3.0 allows a maliciously crafted font file to trigger excessive memory consumption and denial of service when its glyphs are compiled into a combined bitmap. FontFile.compile() builds the output image via Image.new("1", (xsize, ysize)) without invoking Pillow's decompression-bomb guard, so oversized glyph dimensions are allocated unchecked during conversion or saving. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the availability-only impact (CVSS 7.5) reflects resource exhaustion rather than code execution or data disclosure.

Python Information Disclosure Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54234 HIGH PATCH This Week

Denial of service in the vLLM LLM inference server (all versions prior to 0.24.0) allows a remote client to crash the shared engine worker by sending a specific multi-request speculative decoding workload. The rejection sampler produces a recovered token equal to the vocabulary-size boundary, which is coerced to -1, written back into the drafter's input ids, and later dereferenced by the embedding/attention path, triggering a GPU device-side assertion that kills the worker. There is no public exploit identified at time of analysis and this CVE is not in CISA KEV; per CVSS the impact is availability-only (C:N/I:N/A:H) with a low EPSS profile expected for a crash-only bug.

Denial Of Service Vllm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54059 HIGH PATCH This Week

Uncontrolled memory allocation in the Python Pillow imaging library (all versions prior to 12.3.0) allows a crafted PCF bitmap font to exhaust process memory and crash the host application. The PcfFontFile bitmap loader trusts attacker-supplied glyph dimensions from the font's METRICS section and hands them straight to Image.frombytes() while skipping Pillow's decompression-bomb guard. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is an availability-only denial of service (CVSS 7.5), not the information disclosure implied by the source tag.

Python Information Disclosure Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55727 HIGH PATCH This Week

Unauthenticated video stream access in Genetec Security Center 5.14.0.0 (builds prior to 5.14.178.18) lets remote attackers pull live video feeds by exploiting a flaw in the authentication mechanism that guards video stream requests. Because the CVSS vector is AV:N/PR:N/UI:N, no credentials or user interaction are needed, and the CWE-287 root cause means the stream endpoint fails to properly verify the requester's identity. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.

Authentication Bypass Genetec Security Center
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13753 HIGH This Week

Information disclosure in HP Deskjet 2800 Series printers running firmware TBP1CN2612AR or earlier lets an unauthenticated attacker on the network read sensitive configuration - including plaintext Wi‑Fi Direct credentials, device identity, and administrative security state - by sending plain GET requests to administrative API endpoints. The same data is gated behind administrator login in the web UI, so these API endpoints bypass the product's own access-control model. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

HP Information Disclosure Hp 2800 Printer Series
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-46457 HIGH PATCH This Week

Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS client that can publish to a consumed subject to inject arbitrary Camel-internal control headers into the Exchange because the consumer's default DefaultHeaderFilterStrategy has no inbound filter rules. An attacker can override headers such as CamelHttpUri, CamelFileName, or CamelSqlQuery to redirect HTTP producers, rename files, or alter queries in downstream route steps. No public exploit identified at time of analysis; EPSS is low (0.19%, 9th percentile) and CISA SSVC lists exploitation as none, but the flaw is remotely reachable without credentials when the NATS server runs with its default (no-auth) configuration.

Information Disclosure Microsoft Apache Apache Camel
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-46585 HIGH PATCH This Week

Query injection and authorization bypass in the Apache Camel Lucene component (camel-lucene) lets remote unauthenticated HTTP clients override the full-text search a route intends to run. Because the raw header names QUERY and RETURN_LUCENE_DOCS lack the Camel/camel prefix, HttpHeaderFilterStrategy does not strip them at the HTTP boundary, so an attacker-supplied header flows straight into the Exchange and executes against the index - enabling disclosure of documents the requester should not see (e.g. a match-all query dumping the whole index) and CPU-heavy regex queries. Affects 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x; no public exploit identified at time of analysis, and EPSS is low (0.16%, 6th percentile).

Authentication Bypass Microsoft Apache Apache Camel Lucene
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-24012 HIGH PATCH This Week

Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submitting a single query whose time span and aggregation interval are unbounded. Because the affected query interface enforces no reasonable limit on these parameters, a request combining a very large time range with a minimal interval forces the DataNode to materialize an enormous result set in memory, exhausting the Java heap. No public exploit has been identified at time of analysis and the issue is not in CISA KEV, but the fix is easy to reverse-engineer from the version bump to 2.0.8.

Java Denial Of Service Apache Apache Iotdb
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy